R2R Keygen Vs VirusTotal

Discussion in 'Software' started by Kent29, Sep 29, 2023.

  1. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    Hey, guys! The title of this topic is pretty cool, isn't it? Anyway, I'm new here, hello again... and I'm also new to using keygens to register products. I've never used a keygen before (seriously, believe it or not, haha); I usually use plugins that don't require this type of activation. I recently downloaded the Helix Native 3.60 plugin (it's actually a really cool plugin) from the R2R team on the Audio Warez website as usual, and this product requires this activation method. As I am a very paranoid person about the use of keygens, I decided to run a scan on VirusTotal to see the results.

    First of all, I want to make clear that I'm not accusing the R2R team; this is just an observation I made to clarify a doubt about the file in question. So let's go...

    As previously mentioned, I had scanned the file in VT, and when looking at the "behavior" tab I noticed that the analysis accuses the .exe of communicating externally with some IP addresses, of changing several registry keys, of deleting temporary files and of creating some more files in addition to the only one it really needs. After observing these results, I decided to create a virtual machine to do my own practical analysis, to observe the behavior of the executable and compare it with the results presented in VT.


    And...the results were quite different.

    Just to clarify... I'm not a pro, I'm just a regular dude who wants to know how to identify suspect behaviour in an executable program, and I may be wrong in some spots.

    I used the following tools to analyze the program:


    - Process Monitor

    - Process Hacker 2


    First, I will show the results from VirusTotal and then, I will compare some points from VT's analysis with mine.


    * Virus Total Scan Results:

    Detection link:

    https://www.virustotal.com/gui/file/de7b1712c275686ef014a617d3e7b8eb5343c24a84f2f861628fecc43d9a04e8

    Behavior tab

    - IP Addresses:
    [screenshot: VirusTotal Network commun_1.jpg]

    - Files Dropped:
    [screenshot: VirusTotal Files Dropped_pt1_1.jpg]

    - Registry Keys:
    [screenshot: VirusTotal Files registry keys_pt1_1.jpg]

    - Virus Total VS my own analysis

    - IP Addresses and Network communications:
    [screenshot: Captura de Tela (33)_1_1.jpg]

    Whoops, looks like there's no network communication at all... what's wrong with you, VirusTotal??

    I also did a string search in the keygen executable to see if there's something hidden related to network communication... I found nothing.

    - Registry Keys:

    [screenshot: Captura de Tela (26)_1.jpg]
    Indeed, the keygen makes some changes to registry keys, and that's obvious because it really needs to, but it doesn't change all the registry keys shown in the VT results!

    - Files dropped:

    Again... VirusTotal's analysis shows that it dropped many .tmp files in the directories in question. But I did a search in each tmp folder, including the directory shown in the analysis, and I didn't see any temporary files related to the keygen in any of them. The only file it drops is "purchaseV2.dat", which is normal, as it needs it for the activation to work.

    Seriously, why did VirusTotal accuse the keygen of having external communication when it doesn't? And why would it need an internet connection to activate? (Unless the R2R team is watching us, lol.) What do you guys think about this? Have you ever had any slow internet or computer problems after using this team's keygens? Probably not, they seem to be quite reliable. Tell me what you think of all this... thanks for your attention :)
     
    Last edited: Sep 29, 2023
  3. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    Here is the full string file if you want to see it:
     

    Attached Files:

  4. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    And here is another image that shows that there are no external IP addresses communicating... generally this tab shows the IP addresses used by the application.

    [screenshots: Captura de Tela (28)_1.jpg, Captura de Tela (27)_1.jpg]

    Another detail that I forgot to mention: I did the entire process with the application running, for better results in the supposed detections, if they existed.
     
  5. saccamano

    saccamano Rock Star

    Joined:
    Mar 26, 2023
    Messages:
    1,098
    Likes Received:
    439
    Location:
    uranus
    You do realize a GREAT many of those "virus checkers" ("Virus Total" being one of the worst), especially the online/cloud types, are mainly nothing more than corporate buzzkills for warez of any kind, regardless of whether it contains any sort of real malware or virus. It's just another one of the industry's methods of keeping a lid on cracked stuffz. The dev corps throw signatures for their stuff into A/Vs so that it simply deletes the stuff out of a hat if it finds their product installed on a system that is "out of character". Doesn't actually matter if there is an actual virus or malware existing from the install.

    Good A/Vs will scan and report if there is a known virus or malware and leave most everything else alone (false positives), but even the good ones are not entirely immune to going after non-infected, non-malware-based cracked installs either. Keygens used to be notorious for false positives on A/Vs due to the ways they operate being considered "suspicious" to the average A/V. Some of them use packed code to obfuscate means of identification, which is also a false positive.

    Solution: use as non-biased but EFFECTIVE a virus scanner as you can, and break apart the pieces of the installers before scanning. Most installers are Inno-based these days and can be broken apart quickly with innoextract and the pieces viewed and scanned. My particular A/V that I've used for years is Symantec Endpoint. Best advice is to avoid DLs from public torrent trackers. Always scan the broken-apart installer stuff with an unbiased scanner/malware utility; if there are any doubts, take the stuff over to a test machine with Sandboxie and run it all. If you're still that paranoid, maybe the scene is not for you after all.
     
  6. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    Thanks for the great explanation. I don't download torrents anywhere because I don't trust them. I only download from Audio Warez, precisely because I trust this source more, where everyone here in the community is very communicative and offers great support to others, sharing information with each other. That's why I'm trying to find out more about this subject. Lately I've been trying to understand more and more how this A/V and crack detection process works. I'm paranoid, but you can be sure that these A/V scanners are more paranoid than I am. A few months ago I decided to do a test... I wrote a simple login program in C++ and soon after, I "cracked" my own program. Then I uploaded it to VirusTotal and it detected it as a trojan and other types of malware, and the only thing I did was break the login password.
     
  7. fiction

    fiction Audiosexual

    Joined:
    Jun 21, 2011
    Messages:
    1,910
    Likes Received:
    698
    Thanks for the interesting analysis @Kent29.
     
  8. Djord Emer

    Djord Emer Audiosexual

    Joined:
    Sep 12, 2021
    Messages:
    900
    Likes Received:
    726
    I'm not an expert so I won't really go far, but I had a recent experience with Virus Total where I checked a file that had +/- 2 detections, and it turns out that file was actually ransomware. Kaspersky solved the problem right away, didn't even sweat... but it kinda raised a few questions in my head regarding how efficient Virus Total is.
     
  9. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    :mates:
     
  10. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    This was a terrible failure of VirusTotal. I'm glad you solved the case... But was the file you downloaded an audio plugin, or was it another type of software?
     
  11. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    6,980
    Likes Received:
    3,051
    Do you understand heuristic detection? You are showing this list of IP addresses, and every one of them is on either port 80 or port 443: HTTP/HTTPS. The very last one is DNS related.

    All, or nearly all, of these programs have some functionality to report statistics, open the vendor's home page on their website, and check for updates. Did you bother to check where/what/who those IP addresses actually are? Neither would Virus Total, and you are doing this manually.

    The Virus Total results will show you how many sandboxes detected a problem: "3 security vendors and no sandboxes flagged this file as malicious".

    These scans can and often will generate false positives. And the "security vendors" who they rely on to flag these results? How many customers do you think they get who see one vendor "finding stuff better than all the others"? People see that sort of information, assume that is the best AV, and then go buy something from them.

    If you ran this program and had all outbound solicitations blocked, with details reported, you would see any attempt at an outbound connection being logged/alerted by your firewall application. Which will be either 0 or the vendor's real website. Especially when you scan the application installer along with the keygen.

    Do you honestly believe a company such as Virus Total would offer this kind of free web-based scanner just to be altruistic? They are in the business of selling AV solutions. If you have seen commercials for home security companies on TV, many of them offer to come out to your residence, do some checking, figure out some things, and then recommend their ideas and solutions to you.

    How often do you think they go to someone's house and say that it is a great neighborhood, the house is sealed up like a drum and safer than Fort Knox, etc.? Never.
     
    Last edited: Sep 29, 2023
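The cross-check clone describes above (run the binary, log every outbound attempt and every file/registry write, then hold that against what the sandbox claims) can be scripted against a Process Monitor trace. The block below is an added example written for this page; it is not code from the thread, from R2R or from VirusTotal. It assumes Procmon's CSV export layout ("Time of Day","Process Name","PID","Operation","Path","Result","Detail"), captured with "Show Resolved Network Addresses" off so the Path column carries raw IP:port pairs, and that a Process Create row carries the child's PID in its Detail column as "PID: n". The trace rows, the PIDs, the ExampleVendor paths and registry keys, the ExampleSvc service key and the temp file names are all constructed for the example; the four remote IPs are the ones quoted later in the thread. One row is a connection made by svchost.exe during the run, to show how whole-VM noise ends up attributed to the sample.

```python
import csv
import io
import re
from pprint import pprint

# Constructed Process Monitor trace in the column layout of Procmon's
# File > Save > CSV export, with network address resolution off so Path
# holds raw IP:port. Every row, PID, path and vendor name is invented for
# this example; the remote IP is one of those quoted in the thread.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","keygen.exe","4120","Process Start","","SUCCESS","Parent PID: 3000"
"10:00:01.1000000","keygen.exe","4120","RegSetValue","HKCU\\Software\\ExampleVendor\\License\\Serial","SUCCESS","Type: REG_SZ, Length: 64"
"10:00:01.2000000","keygen.exe","4120","CreateFile","C:\\ProgramData\\ExampleVendor\\purchaseV2.dat","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:00:01.3000000","keygen.exe","4120","WriteFile","C:\\ProgramData\\ExampleVendor\\purchaseV2.dat","SUCCESS","Offset: 0, Length: 512"
"10:00:02.0000000","svchost.exe","1180","TCP Connect","host-pc:49702 -> 20.99.133.109:443","SUCCESS","Length: 0"
"10:00:02.5000000","keygen.exe","4120","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4300, Command line: cmd.exe /c echo done"
"10:00:02.6000000","cmd.exe","4300","WriteFile","C:\\Users\\user\\AppData\\Local\\Temp\\kg_child.tmp","SUCCESS","Offset: 0, Length: 16"
"""

# What a sandbox report claimed (constructed; the IPs are the four from the thread).
SANDBOX_REPORT = {
    "ips": ["192.229.211.108", "20.99.133.109", "20.99.184.37", "23.216.147.64"],
    "files": ["C:\\ProgramData\\ExampleVendor\\purchaseV2.dat",
              "C:\\Users\\user\\AppData\\Local\\Temp\\sandbox_drop.tmp"],
    "registry": ["HKCU\\Software\\ExampleVendor\\License",
                 "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc"],
}

NET_OPS = {"TCP Connect", "TCP Reconnect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"}
FILE_WRITE_OPS = {"CreateFile", "WriteFile"}
REG_WRITE_OPS = {"RegCreateKey", "RegSetValue"}
REMOTE = re.compile(r"->\s*([^\s:]+):\d+\s*$")
CHILD_PID = re.compile(r"\bPID:\s*(\d+)")   # assumed Detail format of a Process Create row


def sample_pids(rows, root_name):
    """PIDs of the sample plus every process it (transitively) created, so a
    Procmon filter on the keygen's name alone does not hide what a child does."""
    pids = {r["PID"] for r in rows if r["Process Name"].lower() == root_name.lower()}
    changed = True
    while changed:
        changed = False
        for r in rows:
            if r["PID"] in pids and r["Operation"] == "Process Create":
                m = CHILD_PID.search(r["Detail"])
                if m and m.group(1) not in pids:
                    pids.add(m.group(1))
                    changed = True
    return pids


def observed_behaviour(csv_text, root_name):
    """Network peers, written files and written registry keys, split into
    'ours' (the sample and its children) and connections from other processes."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pids = sample_pids(rows, root_name)
    obs = {"ips": set(), "other_process_ips": set(), "files": set(), "registry": set()}
    for r in rows:
        op, path, ours = r["Operation"], r["Path"].lower(), r["PID"] in pids
        if op in NET_OPS:
            m = REMOTE.search(path)
            if m:
                obs["ips" if ours else "other_process_ips"].add(m.group(1))
        elif ours and r["Result"] == "SUCCESS" and op in FILE_WRITE_OPS:
            obs["files"].add(path)
        elif ours and r["Result"] == "SUCCESS" and op in REG_WRITE_OPS:
            obs["registry"].add(path)
    return obs


def _matches(observed, claim):
    """Exact match, or the observed path/key sits under the claimed one."""
    return observed == claim or observed.startswith(claim.rstrip("\\") + "\\")


def corroborate(report, csv_text, root_name):
    """For each sandbox claim: confirmed by the trace, or unconfirmed. Also
    lists what the trace shows that the sandbox never mentioned (local_only)."""
    obs = observed_behaviour(csv_text, root_name)
    out = {}
    for cat in ("ips", "files", "registry"):
        claims = [c.lower() for c in report[cat]]
        out[cat] = {
            "confirmed": [c for c in claims if any(_matches(o, c) for o in obs[cat])],
            "unconfirmed": [c for c in claims if not any(_matches(o, c) for o in obs[cat])],
            "local_only": sorted(o for o in obs[cat] if not any(_matches(o, c) for c in claims)),
        }
    # Connections that did happen on the machine, but from another process: a
    # sandbox that reports every packet seen during the run pins these on the sample.
    other = sorted(ip for ip in out["ips"]["unconfirmed"] if ip in obs["other_process_ips"])
    out["ips"]["other_process"] = other
    out["ips"]["unconfirmed"] = [ip for ip in out["ips"]["unconfirmed"] if ip not in other]
    return out


if __name__ == "__main__":
    pprint(corroborate(SANDBOX_REPORT, PROCMON_CSV, "keygen.exe"))
```

Three outcomes matter for each claim: confirmed by the trace; seen on the machine but from a different process (the sandbox OS itself talking on 80/443, which is clone's point about the IP list); or nothing local supports it. The `local_only` bucket runs the other way: writes the sandbox never reported, here a temp file written by a child process that a Procmon filter on `keygen.exe` alone would have hidden. The whole thing is only as honest as the capture, so run Procmon before launching the sample and keep it running until the process tree has exited.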
  12. Djord Emer

    Djord Emer Audiosexual

    Joined:
    Sep 12, 2021
    Messages:
    900
    Likes Received:
    726
    Not at all an audio plugin; it had no connection with music production whatsoever. It was just a Turkish kid trying to scam me on Discord.
     
  13. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    I've read something about it, but I haven't gone into much depth on the subject yet.

    Yes, I did a search with one of these IP addresses and ended up coming across this topic here on Reddit: https://www.reddit.com/r/CrackSupport/comments/11qlzp6/doubt_about_dodirepacks/?rdt=36732, where some of the same IP addresses:

    192.229.211.108:80 (TCP)
    20.99.133.109:443 (TCP)
    20.99.184.37:443 (TCP)
    23.216.147.64:443 (TCP)

    also appear in the detection reported on that forum. I find this a bit strange coming from VirusTotal.

    I really didn't have any connection attempts from the application. But I believe that there are programs that are truly malicious that manage to connect behind the "scenes" without the user knowing, and that not even the firewall is able to detect the connection attempt.
     
  14. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    Oh, I got it... damn kids...
     
  15. trz303

    trz303 Producer

    Joined:
    Jun 29, 2011
    Messages:
    268
    Likes Received:
    134
    Keygens, even if they are "only" generating keys on screen without writing anything to the Windows registry and/or anywhere else on your HD, are considered threats by many AVs (but not all of them).
    No big news.
    It has been the case for at least the last 20 years.
    Windows Defender is a perfect example here.
     
  16. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    6,980
    Likes Received:
    3,051
    Reddit is like Wikipedia. You can get some preliminary information from it, but you should not use it as a source of "research", especially if other sources are available.

    You could even predict those kinds of results coming when you find someone posting on Reddit with the same exact batch of IP addresses.
     
  17. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    Yes, I agree with you... you're right. In fact, I mentioned Reddit because I found someone who did a detection of a different file and VirusTotal pointed to the same IP addresses.

    My goal here is to show that VirusTotal can add information to a detection where it actually doesn't exist. Something I had been suspecting for a while now.
     
  18. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    Windows Defender is a master at keygen detection.
     
  19. Corel99

    Corel99 Newbie

    Joined:
    Oct 7, 2022
    Messages:
    3
    Likes Received:
    1
    Run it sandboxed and check with Wireshark whether a connection is established. Some kgs from R2R also process the registration, like for T-RackS, so they're not only generating numbers... R2R have been big guys in this game for over a decade... there can be two sides anyway... but I use it because I do NOT store any important info on my PC and also reformat from time to time... imagine R2R is making the biggest bot network in history, haha, who will know :P
     
  20. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    6,980
    Likes Received:
    3,051
    I am not sure about "adding information", but it has no filter or summary which would make its results more useful. You should be able to run 50 different scanners against the file and not get 49 different results. All heuristic scanning does is look into a file for patterns that it can detect as similar to other "known threats". The problem with that is that those other "threats" are never reported back to them as being BS in the first place. So it is just creating a collection of stuff that looks like other stuff, with no learning whatsoever.

    Another reason why R2R keygens get flagged is because they take certain measures to protect their keygens from other "crackers" who would steal their work, make it look a little different, repack it and then release it as "their own work". So when Virus Total encounters a file that has encryption that it cannot really look into, rather than give you a result that says they can't tell, it will throw suspicion at the file. If other "security vendors" are the source of such useless info, VT has plausible deniability. If its scan results reporting came back with "Don't Know, Can't Tell", who would use it? They are not in the business of selling to people who know what they are doing.
     
  21. Kent29

    Kent29 Noisemaker

    Joined:
    Sep 25, 2023
    Messages:
    11
    Likes Received:
    3
    Excellent information, buddy... Thanks for clarifying more about the subject and also how the R2R keygen works. I'm going to study more about heuristic detections to learn more about the subject. :mates:
     